Malicious hacker steals Hotmail passwords

Hotmail password-stealing exploits are no longer the sole province of bug-hunting ethical hackers.

Microsoft's MSN Hotmail said it had implemented a patch to thwart a JavaScript exploit that snared the passwords of about ten users. Although Hotmail has faced numerous similar exploits in the past, those were merely demonstrations crafted by security-minded programmers anxious to expose security holes before they were exploited for real.

This one appears to be the first known instance in which users actually lost their Hotmail passwords.

"We're not aware of any [previous] passwords successfully stolen in this type of exploit," said Hotmail product manager Laura Norman.

The Trojan horse password-stealing scheme involved an emailed attachment carrying a link to a Web page. A script running on the attacker's Web page then sent a password-change request to the Hotmail server on the victim's behalf, locking the user out of the account and giving the attacker access to it.

Hotmail gave no further detail on the mechanics of the script or on how the hole was patched. Norman did say Hotmail would step up its efforts to educate users about the risks of opening attachments.

"We are increasing our messaging to users about only opening attachments from trusted sources," she said.

A Trojan horse is executable content that does something other than what the user expects it to. JavaScript is a scripting language developed by Netscape Communications for adding behaviour to Web pages that runs in the visitor's browser, often without any action by the user; pop-up windows, for instance, are commonly authored with JavaScript. JavaScript is unrelated to Java, Sun Microsystems' platform-independent programming language.

JavaScript has been the tool of choice for numerous bug hunters and hackers because it can carry out actions in the user's browser without his or her consent or knowledge. For this reason, many security-conscious Web surfers disable it in their browsers.

The perpetrator's Web site was hosted by free home page provider Tripod, which is owned by Lycos. Norman said that Tripod was "very cooperative," but she declined to state whether the firms were taking action against the password thief.